
Cisco Security Suite: What is the best logging level configuration for ASAs in our environment?

Contributor

Hello,

I am trying to see if the Cisco Security Suite will provide benefit in using the following logging levels or if they can be disabled:

logging buffered informational
logging trap informational
logging history informational
logging asdm informational

Ultimately, we are trying to tailor our logging to fit Splunk and I am trying to see what the best logging configuration is for the ASAs in our environment to be set at to provide the best visibility. It sounds like not necessarily everything needs to be enabled though. Where do I find this information?

Thank you!

SplunkTrust

So for an ASA sending data to Splunk the only one of those destinations that matters is "trap". The logging to buffered, or history, or asdm does not go to syslog and then to Splunk. A better question is whether you should be logging at 'informational' or 'debug'. In most ASA setups, you really need the 'debug' level logging in order to get the (highly highly highly) verbose connection opened / closed logs. Otherwise you may only get denies - which are maybe not as useful.

New Member

dwaddle,
Are you saying use this setup for ASAs in order to get the most useful information? Normally on other systems I refrain from debug except when troubleshooting due to the extreme volume of logs that are created. Is that true with Cisco? I have concerns about overrunning my 50 GB per day quota. We have two 5585s on a 200MB per second MOE circuit.

Send Debug Log Messages to a Syslog Server
For advanced troubleshooting, feature/protocol specific debug logs are required. By default, these log messages are displayed on terminal (SSH/Telnet). Dependent on the type of debug, and the rate of debug messages generated, use of the CLI might prove difficult if debugs are enabled. Optionally, debug messages can be redirected to the syslog process and generated as syslogs. These syslogs can be sent to any syslog destination as would any other syslog. In order to divert debugs to syslogs, enter the logging debug-trace command. This configuration sends debug output, as syslogs, to a syslog server.
logging trap debugging
logging debug-trace
logging host inside 172.22.1.5

From


SplunkTrust

So the thing you'll get from an ASA in debug mode is per-connection open and close events. These look like this:

Dec 11 08:01:31 <IP> %ASA-6-302013: Built outbound TCP connection 447236 for outside:KAV_Update_Server/<port> (KAV_Update_Server/<port>) to dmz:OCSP_Server/<port> (OCSP_Server/<port>)
Dec 11 08:01:31 <IP> %ASA-6-302013: Built outbound TCP connection 447236 for outside:KAV_Update_Server/<port> (KAV_Update_Server/<port>) to dmz:OCSP_Server/<port> (OCSP_Server/<port>)
Dec 11 08:01:31 <IP> %ASA-6-302014: Teardown TCP connection 447236 for outside:KAV_Update_Server/<port> to dmz:OCSP_Server/<port> duration 0:00:00 bytes 14804 TCP FINs
Dec 11 08:01:38 <IP> %ASA-6-302014: Teardown TCP connection 447234 for outside:KAV_Update_Server/<port> to dmz:TSP_Server/<port> duration 0:01:08 bytes 134781 TCP FINs
Dec 11 08:01:38 <IP> %ASA-6-302014: Teardown TCP connection 447234 for outside:KAV_Update_Server/<port> to dmz:TSP_Server/<port> duration 0:01:08 bytes 134781 TCP FINs

And some others - these are just examples. But, the point being, for forensic purposes these logs are invaluable. But, they do take up a lot of license quota - because of their verbosity and getting two events minimum for every connection through the firewall. The original question asked about the "best" logging level for ASAs, and I took that to mean "the one that provides the most useful forensic details available".
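
The trade-off discussed in this thread (forensic value of per-connection events against daily license volume) can be measured on a capture of your own ASA syslog before changing the trap level. The following Python is an added example, not code from any poster or from the Cisco Security Suite: it tallies raw volume per severity and message ID (the severity is the digit in the `%ASA-<severity>-<message ID>` header), pairs Built and Teardown events by connection ID, and projects GB per day. The sample lines, IP, ports, function names and the connection rate are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the events quoted above; the IP and
# ports are made up (the thread redacts them as <IP> and <port>).
SAMPLE = """\
Dec 11 08:01:30 192.0.2.1 %ASA-6-302013: Built outbound TCP connection 447234 for outside:KAV_Update_Server/443 (KAV_Update_Server/443) to dmz:TSP_Server/51234 (TSP_Server/51234)
Dec 11 08:01:31 192.0.2.1 %ASA-6-302013: Built outbound TCP connection 447236 for outside:KAV_Update_Server/80 (KAV_Update_Server/80) to dmz:OCSP_Server/51240 (OCSP_Server/51240)
Dec 11 08:01:31 192.0.2.1 %ASA-6-302014: Teardown TCP connection 447236 for outside:KAV_Update_Server/80 to dmz:OCSP_Server/51240 duration 0:00:00 bytes 14804 TCP FINs
Dec 11 08:01:38 192.0.2.1 %ASA-6-302014: Teardown TCP connection 447234 for outside:KAV_Update_Server/443 to dmz:TSP_Server/51234 duration 0:01:08 bytes 134781 TCP FINs
""".splitlines()

HEADER = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)")
CONN = re.compile(r"(?P<verb>Built|Teardown) .*?connection (?P<id>\d+)")
TEARDOWN = re.compile(r"duration (\d+):(\d\d):(\d\d) bytes (\d+)")

def volume_by_message(lines):
    """Raw bytes and event count per (severity, message ID)."""
    stats = defaultdict(lambda: {"events": 0, "raw_bytes": 0})
    for line in lines:
        m = HEADER.search(line)
        if m:
            key = (int(m["sev"]), m["msgid"])
            stats[key]["events"] += 1
            stats[key]["raw_bytes"] += len(line) + 1  # +1 for the newline
    return dict(stats)

def sessions(lines):
    """Pair Built/Teardown events by connection ID; None means not seen."""
    out = {}
    for line in lines:
        h = HEADER.search(line)
        c = CONN.search(h["body"]) if h else None
        if not c:
            continue
        s = out.setdefault(c["id"], {"built": False, "seconds": None, "bytes": None})
        t = TEARDOWN.search(h["body"])
        if c["verb"] == "Built":
            s["built"] = True
        elif t:
            hh, mm, ss, nbytes = map(int, t.groups())
            s["seconds"], s["bytes"] = hh * 3600 + mm * 60 + ss, nbytes
    return out

def daily_gb(lines, conns_per_second):
    """Projected indexed GB/day from the average log bytes per connection."""
    total = sum(v["raw_bytes"] for v in volume_by_message(lines).values())
    per_conn = total / max(len(sessions(lines)), 1)
    return per_conn * conns_per_second * 86400 / 1e9
```

Run `daily_gb` with a connection rate measured on your own firewalls and compare the result with the license quota, such as the 50 GB per day mentioned in the thread.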